3411652615b89bc2c7fa7fb72a4fee1415936eb943ce27eff700278f1f26f50c SOURCES/blktap-9960138790b9d3610b12acd153bba20235efa4f5.tar.gz
+1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SOURCES/zlib-1.2.3.tar.gz
4e1d15d12dbd3e9208111d6b806ad5a9857ca8850c47877d36575b904559260b SOURCES/grub-0.97.tar.gz
772e4d550e07826665ed0528c071dd5404ef7dbe1825a38c8adbc2a00bca948f SOURCES/lwip-1.3.0.tar.gz
db426394965c48c1d29023e1cc6d965ea6b9a9035d8a849be2750ca4659a3d07 SOURCES/newlib-1.16.0.tar.gz
f60ae61cfbd5da1d849d0beaa21f593c38dac9359f0b3ddc612f447408265b24 SOURCES/pciutils-2.2.9.tar.bz2
fad9414898f727ddb7d14d30d89ca977375e6dddef301aa6f3df74ee766b0235 SOURCES/qemu-xen-4.2.3.tar.gz
69b6a73701383d609ad094a38925004e8595755fb39a6fafd579ba754e8667db SOURCES/xen-4.2.3.tar.gz
-1795c7d067a43174113fdf03447532f373e1c6c57c08d61d9e4e9be5e244b05e SOURCES/zlib-1.2.3.tar.gz
--- /dev/null
+flask: fix reading strings from guest memory
+
+Since the string size is being specified by the guest, we must range
+check it properly before doing allocations based on it. While for the
+two cases that are exposed only to trusted guests (via policy
+restriction) this just uses an arbitrary upper limit (PAGE_SIZE), for
+the FLASK_[GS]ETBOOL case (which any guest can use) the upper limit
+gets enforced based on the longest name across all boolean settings.
+
+This is XSA-84.
+
+Reported-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+
+--- a/xen/xsm/flask/flask_op.c
++++ b/xen/xsm/flask/flask_op.c
+@@ -53,6 +53,7 @@ static DEFINE_SPINLOCK(sel_sem);
+ /* global data for booleans */
+ static int bool_num = 0;
+ static int *bool_pending_values = NULL;
++static size_t bool_maxstr;
+ static int flask_security_make_bools(void);
+
+ extern int ss_initialized;
+@@ -71,9 +72,15 @@ static int domain_has_security(struct do
+ perms, NULL);
+ }
+
+-static int flask_copyin_string(XEN_GUEST_HANDLE(char) u_buf, char **buf, uint32_t size)
++static int flask_copyin_string(XEN_GUEST_HANDLE(char) u_buf, char **buf,
++ size_t size, size_t max_size)
+ {
+- char *tmp = xmalloc_bytes(size + 1);
++ char *tmp;
++
++ if ( size > max_size )
++ return -ENOENT;
++
++ tmp = xmalloc_array(char, size + 1);
+ if ( !tmp )
+ return -ENOMEM;
+
+@@ -99,7 +106,7 @@ static int flask_security_user(struct xe
+ if ( rv )
+ return rv;
+
+- rv = flask_copyin_string(arg->u.user, &user, arg->size);
++ rv = flask_copyin_string(arg->u.user, &user, arg->size, PAGE_SIZE);
+ if ( rv )
+ return rv;
+
+@@ -210,7 +217,7 @@ static int flask_security_context(struct
+ if ( rv )
+ return rv;
+
+- rv = flask_copyin_string(arg->context, &buf, arg->size);
++ rv = flask_copyin_string(arg->context, &buf, arg->size, PAGE_SIZE);
+ if ( rv )
+ return rv;
+
+@@ -303,7 +310,7 @@ static int flask_security_resolve_bool(s
+ if ( arg->bool_id != -1 )
+ return 0;
+
+- rv = flask_copyin_string(arg->name, &name, arg->size);
++ rv = flask_copyin_string(arg->name, &name, arg->size, bool_maxstr);
+ if ( rv )
+ return rv;
+
+@@ -334,7 +341,7 @@ static int flask_security_set_bool(struc
+ int num;
+ int *values;
+
+- rv = security_get_bools(&num, NULL, &values);
++ rv = security_get_bools(&num, NULL, &values, NULL);
+ if ( rv != 0 )
+ goto out;
+
+@@ -440,7 +447,7 @@ static int flask_security_make_bools(voi
+
+ xfree(bool_pending_values);
+
+- ret = security_get_bools(&num, NULL, &values);
++ ret = security_get_bools(&num, NULL, &values, &bool_maxstr);
+ if ( ret != 0 )
+ goto out;
+
+--- a/xen/xsm/flask/include/conditional.h
++++ b/xen/xsm/flask/include/conditional.h
+@@ -13,7 +13,9 @@
+ #ifndef _FLASK_CONDITIONAL_H_
+ #define _FLASK_CONDITIONAL_H_
+
+-int security_get_bools(int *len, char ***names, int **values);
++#include <xen/types.h>
++
++int security_get_bools(int *len, char ***names, int **values, size_t *maxstr);
+
+ int security_set_bools(int len, int *values);
+
+--- a/xen/xsm/flask/ss/services.c
++++ b/xen/xsm/flask/ss/services.c
+@@ -1900,7 +1900,7 @@ int security_find_bool(const char *name)
+ return rv;
+ }
+
+-int security_get_bools(int *len, char ***names, int **values)
++int security_get_bools(int *len, char ***names, int **values, size_t *maxstr)
+ {
+ int i, rc = -ENOMEM;
+
+@@ -1908,6 +1908,8 @@ int security_get_bools(int *len, char **
+ if ( names )
+ *names = NULL;
+ *values = NULL;
++ if ( maxstr )
++ *maxstr = 0;
+
+ *len = policydb.p_bools.nprim;
+ if ( !*len )
+@@ -1929,16 +1931,17 @@ int security_get_bools(int *len, char **
+
+ for ( i = 0; i < *len; i++ )
+ {
+- size_t name_len;
++ size_t name_len = strlen(policydb.p_bool_val_to_name[i]);
++
+ (*values)[i] = policydb.bool_val_to_struct[i]->state;
+ if ( names ) {
+- name_len = strlen(policydb.p_bool_val_to_name[i]) + 1;
+- (*names)[i] = (char*)xmalloc_array(char, name_len);
++ (*names)[i] = xmalloc_array(char, name_len + 1);
+ if ( !(*names)[i] )
+ goto err;
+- strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len);
+- (*names)[i][name_len - 1] = 0;
++ strlcpy((*names)[i], policydb.p_bool_val_to_name[i], name_len + 1);
+ }
++ if ( maxstr && name_len > *maxstr )
++ *maxstr = name_len;
+ }
+ rc = 0;
+ out:
+@@ -2056,7 +2059,7 @@ static int security_preserve_bools(struc
+ struct cond_bool_datum *booldatum;
+ struct cond_node *cur;
+
+- rc = security_get_bools(&nbools, &bnames, &bvalues);
++ rc = security_get_bools(&nbools, &bnames, &bvalues, NULL);
+ if ( rc )
+ goto out;
+ for ( i = 0; i < nbools; i++ )
--- /dev/null
+From 593bc8c63d582ec0fc2b3a35336106cf9c3a8b34 Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Sun, 12 Jan 2014 14:29:32 +1300
+Subject: [PATCH] xsm/flask: correct off-by-one in
+ flask_security_avc_cachestats cpu id check
+
+This is XSA-85
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ian Campbell <ian.campbell@citrix.com>
+---
+ xen/xsm/flask/flask_op.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xen/xsm/flask/flask_op.c b/xen/xsm/flask/flask_op.c
+index 4426ab9..22878f5 100644
+--- a/xen/xsm/flask/flask_op.c
++++ b/xen/xsm/flask/flask_op.c
+@@ -457,7 +457,7 @@ static int flask_security_avc_cachestats(struct xen_flask_cache_stats *arg)
+ {
+ struct avc_cache_stats *st;
+
+- if ( arg->cpu > nr_cpu_ids )
++ if ( arg->cpu >= nr_cpu_ids )
+ return -ENOENT;
+ if ( !cpu_online(arg->cpu) )
+ return -ENOENT;
+--
+1.8.5.2
+
--- /dev/null
+From b4c452646efd37b4cd0996256dd0ab7bf6ccb7f6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Mon, 20 Jan 2014 15:51:56 +0000
+Subject: [PATCH] libvchan: Fix handling of invalid ring buffer indices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The remote (hostile) process can set ring buffer indices to any value
+at any time. If that happens, it is possible to get "buffer space"
+(either for writing data, or ready for reading) negative or greater
+than buffer size. This will end up with buffer overflow in the second
+memcpy inside of do_send/do_recv.
+
+Fix this by introducing new available bytes accessor functions
+raw_get_data_ready and raw_get_buffer_space which are robust against
+mad ring states, and only return sanitised values.
+
+Proof sketch of correctness:
+
+Now {rd,wr}_{cons,prod} are only ever used in the raw available bytes
+functions, and in do_send and do_recv.
+
+The raw available bytes functions do unsigned arithmetic on the
+returned values. If the result is "negative" or too big it will be
+>ring_size (since we used unsigned arithmetic). Otherwise the result
+is a positive in-range value representing a reasonable ring state, in
+which case we can safely convert it to int (as the rest of the code
+expects).
+
+do_send and do_recv immediately mask the ring index value with the
+ring size. The result is always going to be plausible. If the ring
+state has become mad, the worst case is that our behaviour is
+inconsistent with the peer's ring pointer. I.e. we read or write to
+arguably-incorrect parts of the ring - but always parts of the ring.
+And of course if a peer misoperates the ring they can achieve this
+effect anyway.
+
+So the security problem is fixed.
+
+This is XSA-86.
+
+(The patch is essentially Ian Jackson's work, although parts of the
+commit message are by Marek.)
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Cc: Joanna Rutkowska <joanna@invisiblethingslab.com>
+---
+ tools/libvchan/io.c | 47 +++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 41 insertions(+), 6 deletions(-)
+
+diff --git a/tools/libvchan/io.c b/tools/libvchan/io.c
+index 2383364..804c63c 100644
+--- a/tools/libvchan/io.c
++++ b/tools/libvchan/io.c
+@@ -111,12 +111,26 @@ static inline int send_notify(struct libxenvchan *ctrl, uint8_t bit)
+ return 0;
+ }
+
++/*
++ * Get the amount of buffer space available, and do nothing about
++ * notifications.
++ */
++static inline int raw_get_data_ready(struct libxenvchan *ctrl)
++{
++ uint32_t ready = rd_prod(ctrl) - rd_cons(ctrl);
++ if (ready >= rd_ring_size(ctrl))
++ /* We have no way to return errors. Locking up the ring is
++ * better than the alternatives. */
++ return 0;
++ return ready;
++}
++
+ /**
+ * Get the amount of buffer space available and enable notifications if needed.
+ */
+ static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request)
+ {
+- int ready = rd_prod(ctrl) - rd_cons(ctrl);
++ int ready = raw_get_data_ready(ctrl);
+ if (ready >= request)
+ return ready;
+ /* We plan to consume all data; please tell us if you send more */
+@@ -126,7 +140,7 @@ static inline int fast_get_data_ready(struct libxenvchan *ctrl, size_t request)
+ * will not get notified even though the actual amount of data ready is
+ * above request. Reread rd_prod to cover this case.
+ */
+- return rd_prod(ctrl) - rd_cons(ctrl);
++ return raw_get_data_ready(ctrl);
+ }
+
+ int libxenvchan_data_ready(struct libxenvchan *ctrl)
+@@ -135,7 +149,21 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
+ * when it changes
+ */
+ request_notify(ctrl, VCHAN_NOTIFY_WRITE);
+- return rd_prod(ctrl) - rd_cons(ctrl);
++ return raw_get_data_ready(ctrl);
++}
++
++/**
++ * Get the amount of buffer space available, and do nothing
++ * about notifications
++ */
++static inline int raw_get_buffer_space(struct libxenvchan *ctrl)
++{
++ uint32_t ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++ if (ready > wr_ring_size(ctrl))
++ /* We have no way to return errors. Locking up the ring is
++ * better than the alternatives. */
++ return 0;
++ return ready;
+ }
+
+ /**
+@@ -143,7 +171,7 @@ int libxenvchan_data_ready(struct libxenvchan *ctrl)
+ */
+ static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request)
+ {
+- int ready = wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++ int ready = raw_get_buffer_space(ctrl);
+ if (ready >= request)
+ return ready;
+ /* We plan to fill the buffer; please tell us when you've read it */
+@@ -153,7 +181,7 @@ static inline int fast_get_buffer_space(struct libxenvchan *ctrl, size_t request
+ * will not get notified even though the actual amount of buffer space
+ * is above request. Reread wr_cons to cover this case.
+ */
+- return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++ return raw_get_buffer_space(ctrl);
+ }
+
+ int libxenvchan_buffer_space(struct libxenvchan *ctrl)
+@@ -162,7 +190,7 @@ int libxenvchan_buffer_space(struct libxenvchan *ctrl)
+ * when it changes
+ */
+ request_notify(ctrl, VCHAN_NOTIFY_READ);
+- return wr_ring_size(ctrl) - (wr_prod(ctrl) - wr_cons(ctrl));
++ return raw_get_buffer_space(ctrl);
+ }
+
+ int libxenvchan_wait(struct libxenvchan *ctrl)
+@@ -176,6 +204,8 @@ int libxenvchan_wait(struct libxenvchan *ctrl)
+
+ /**
+ * returns -1 on error, or size on success
++ *
++ * caller must have checked that enough space is available
+ */
+ static int do_send(struct libxenvchan *ctrl, const void *data, size_t size)
+ {
+@@ -248,6 +278,11 @@ int libxenvchan_write(struct libxenvchan *ctrl, const void *data, size_t size)
+ }
+ }
+
++/**
++ * returns -1 on error, or size on success
++ *
++ * caller must have checked that enough data is available
++ */
+ static int do_recv(struct libxenvchan *ctrl, void *data, size_t size)
+ {
+ int real_idx = rd_cons(ctrl) & (rd_ring_size(ctrl) - 1);
+--
+1.7.10.4
+
Summary: Xen is a virtual machine monitor
Name: xen
Version: 4.2.3
-Release: 27%{?dist}
+Release: 28%{?dist}
Group: Development/Libraries
License: GPLv2+ and LGPLv2+ and BSD
URL: http://xen.org/
Patch150: xsa82.patch
Patch151: xsa83.patch
Patch152: xsa87-4.2.patch
+Patch153: xsa84-4.2.patch
+Patch154: xsa85.patch
+Patch155: xsa86.patch
Patch1000: xen-centos-disable-CFLAGS-for-qemu.patch
Patch1001: xen-centos-disableWerror-blktap25.patch
%patch150 -p1
%patch151 -p1
%patch152 -p1
+%patch153 -p1
+%patch154 -p1
+%patch155 -p1
%patch1000 -p1
%endif
%changelog
+* Tue Feb 11 2014 Johnny Hughes <johnny@centos.org> - 4.2.3-28.el6.centos
+- Roll in Patches 153, 154, and 155
+ XSA-84 (CVE-2014-1891, CVE-2014-1892, CVE-2014-1893, CVE-2014-1894)
+ XSA-85 (CVE-2014-1894), XSA-86 (CVE-2014-1896)
+
* Fri Jan 24 2014 Johnny Hughes <johnny@centos.org> - 4.2.3-27.el6.centos
- Roll in patches 151 and 152 for the following XSAs:
XSA-83 (CVE-2104-1642) and XSA-87 (CVE-2014-1666)
projects / people / aperard / centos-package-xen.git / commitdiff